CVE-2026-4250 in Albert Health
Summary
by MITRE • 03/16/2026
A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storage of credentials. The attack requires a local approach. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/21/2026
This vulnerability resides within the Albert Sağlık Hizmetleri ve Ticaret Albert Health Android application version 1.7.3 and earlier, specifically targeting the Google Cloud Service Account Key Handler component. The flaw manifests in the improper handling of credentials within the resources/assets/service-account.json file, creating a critical security weakness that allows for unprotected storage of sensitive authentication materials. The vulnerability represents a significant departure from secure coding practices and demonstrates a fundamental failure in credential management within the mobile application's architecture.
The technical implementation flaw stems from the application's failure to properly secure sensitive information during storage operations. When the service-account.json file containing Google Cloud Service Account keys is written to device storage, the credentials remain unencrypted and accessible to any process running with appropriate privileges. This vulnerability directly maps to CWE-312 (CWE-312: Cleartext Storage of Sensitive Information) and CWE-522 (CWE-522: Insufficiently Protected Credentials) within the Common Weakness Enumeration catalog. The attack vector requires local system access, making it a local privilege escalation vulnerability that can be exploited by malicious applications or compromised user accounts with device access.
The operational impact of this vulnerability is substantial as it creates a persistent security risk for organizations relying on the Albert Health application for healthcare services. The unprotected storage of Google Cloud Service Account keys provides attackers with direct access to cloud resources that may contain sensitive patient data, medical records, and other confidential information. This exposure could lead to unauthorized data access, potential data breaches, and compliance violations under healthcare regulations such as HIPAA. The difficulty of exploitation and high attack complexity suggest that while not trivial to exploit, the vulnerability remains a significant threat vector that could be weaponized by determined attackers.
The public availability of exploit code further amplifies the risk profile of this vulnerability, as it removes the barrier to entry for potential attackers who may not possess advanced technical skills. The vendor's lack of response to early disclosure attempts creates a dangerous gap in the security ecosystem, leaving organizations using the application exposed without official patches or remediation guidance. Security professionals should consider implementing immediate mitigations such as device encryption enforcement, application sandboxing, and monitoring for unauthorized access to sensitive files. The vulnerability also highlights the importance of secure credential handling practices and proper security testing in mobile healthcare applications, particularly those dealing with sensitive patient information and cloud service integrations. Organizations should conduct thorough security assessments of their mobile applications and consider alternative credential storage mechanisms that provide proper encryption and access controls for sensitive authentication materials.